If the vAMI uses PKI Class 3 or Class 4 certificates, the certificates must be DoD- or CNSS-approved. If the vAMI does not use PKI Class 3 or Class 4 certificates, this requirement is Not Applicable.

Overview

Finding ID	Version	Rule ID	IA Controls	Severity
V-90273	VRAU-VA-000640	SV-100923r1_rule		Medium

Description
Class 3 PKI certificates are used for servers and software signing rather than for identifying individuals. Class 4 certificates are used for business-to-business transactions. Utilizing unapproved certificates not issued or approved by DoD or CNS creates an integrity risk. The vAMI must utilize approved DoD or CNS Class 3 or Class 4 certificates for software signing and business-to-business transactions.

Description

Class 3 PKI certificates are used for servers and software signing rather than for identifying individuals. Class 4 certificates are used for business-to-business transactions. Utilizing unapproved certificates not issued or approved by DoD or CNS creates an integrity risk. The vAMI must utilize approved DoD or CNS Class 3 or Class 4 certificates for software signing and business-to-business transactions.

STIG	Date
VMW vRealize Automation 7.x vAMI Security Technical Implementation Guide	2018-10-12

Details

Check Text ( C-89965r1_chk )
Interview the ISSO and/or the SA. Determine if the vAMI is using PKI Class 3 or Class 4 certificates. If the vAMI is using PKI Class 3 or Class 4 certificates, and the certificates are not DoD- or CNSS-approved, this is a finding.

Fix Text (F-97015r1_fix)
If the vAMI is using PKI Class 3 or Class 4 certificates, install certificates that are DoD or CNSS approved.